Tracking Messages
This chapter contains the following sections:
- Tracking Service Overview
- Setting Up Centralized Message Tracking
- Checking Message Tracking Data Availability
- Searching for Email Messages
- Understanding Tracking Query Results
- Troubleshooting Message Tracking
Tracking Service Overview
The tracking service of the Cisco Content Security Management appliance complements Email Security appliances. With the Security Management appliance, email administrators have a single place to track the status of messages that traverse any of their Email Security appliances.
The Security Management appliance makes it easy to find the status of messages that Email Security appliances process. Email administrators can quickly resolve help desk calls by determining the exact location of a message. With the Security Management appliance, an administrator can determine if a particular message was delivered, found to contain a virus, or placed in a spam quarantine — or if it is located somewhere else in the mail stream.
Instead of having to search through log files using grep or similar tools, you can use the flexible tracking interface of the Security Management appliance to locate messages. You can use a variety of search parameters in combination.
Tracking queries can include:
- Time Frame: Find a message that was sent between specified dates and times.
- Envelope Information: Find messages from particular envelope senders or recipients by entering the text strings to match.
- Subject: Match a text string in the subject line. Warning: Do not use this type of search in environments where regulations prohibit such tracking.
- Attachment Name: You can search for messages based on an attachment name. Messages that contain at least one attachment with the queried name will appear in the search results.
  For performance reasons, the names of files within attachments such as OLE objects or archives such as .ZIP files are not tracked.
  Some attachments may not be tracked. For performance reasons, scanning of attachment names occurs only as part of other scanning operations, for example message or content filtering, DLP, or disclaimer stamping. Attachment names are available only for messages that pass through body scanning while the attachment is still attached. Some examples of when an attachment name will not appear include (but are not limited to):
- File SHA256: Find messages with the SHA-256 value of the message file.
- Cisco Host: Narrow search criteria to particular Email Security appliances, or search across all managed appliances.
- Message ID Header and Cisco MID: Find messages by identifying the SMTP “Message-ID:” header or the Cisco message ID (MID).
- Sender IP Address/Domain/Network Owner: Search for messages from a particular IP address, domain name, or network owner.
- Message Event: Find messages that match specified events, such as messages flagged as virus positive, spam positive, or suspected spam, and messages that were delivered, hard bounced, soft bounced, or sent to the Virus Outbreak Quarantine.
- Rejected Connections: Search for rejected connections from a particular IP address, domain name, or network owner.
Setting Up Centralized Message Tracking
To set up centralized message tracking, complete the following procedures in order:
- Enabling Centralized Email Tracking on a Security Management Appliance
- Configuring Centralized Message Tracking on Email Security Appliances
- Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance
- Managing Access to Sensitive Information
Enabling Centralized Email Tracking on a Security Management Appliance
Configuring Centralized Message Tracking on Email Security Appliances
Adding the Centralized Message Tracking Service to Each Managed Email Security Appliance
The steps you follow depend on whether or not you have already added the appliance while configuring another centralized management feature.
Managing Access to Sensitive Information
If you will distribute administrative tasks to other people and you want to restrict their access to sensitive information that may appear in email messages that violate Data Loss Prevention (DLP) policies, see Controlling Access to Sensitive Information in Message Tracking.
Checking Message Tracking Data Availability
You can determine the date range that your message tracking data includes, as well as identify any missing intervals in that data.
Searching for Email Messages
- Searching for Email Messages on the Cloud Email Security Management Console
- Searching for Email Messages on the Legacy Web Interface
- Narrowing the Result Set
- About Message Tracking and Advanced Malware Protection Features
Searching for Email Messages on the Cloud Email Security Management Console
The tracking service of the appliance lets you search for a particular email message or group of messages that match specified criteria, such as the message subject line, date and time range, envelope sender or recipient, or processing event (for example, whether the message was virus positive, spam positive, hard bounced, delivered, and so forth). Message tracking gives you a detailed view of message flow. You can also drill down on particular email messages to see message details, such as the processing events, attachment names, or the envelope and header information.
Note: Although the tracking component provides detailed information about individual email messages, you cannot use it to read the content of messages.
Step 1: On the Cloud Email Security Management Console, choose Tracking > Search.
Step 2: Select the Messages tab or the Rejected Connections tab to narrow your search results.
Step 3: (Optional) Click Advanced Search to display additional search options.
Step 4: Enter the following search criteria:
You do not need to complete every field. Except for the Message Event options, the query is an “AND” search. The query returns messages that match the “AND” conditions specified in the search fields. For example, if you specify text strings for the envelope recipient and the subject line parameters, the query returns only messages that match both the specified envelope recipient and the subject line.
Step 5: Click Search.
Each row corresponds to an email message. Scroll down to load more messages in the view. If necessary, you can refine your search by entering new search criteria, and run the query again. Alternatively, you can refine the search by narrowing the result set, as described in the following section.
Searching for Email Messages on the Legacy Web Interface
The Security Management appliance’s tracking service lets you search for a particular email message or group of messages that match specified criteria, such as the message subject line, date and time range, envelope sender or recipient, or processing event (for example, whether the message was virus positive, spam positive, hard bounced, delivered, and so forth). Message tracking gives you a detailed view of message flow. You can also drill down on particular email messages to see message details, such as the processing events, attachment names, or the envelope and header information.
Note: Although the tracking component provides detailed information about individual email messages, you cannot use it to read the content of messages.
Narrowing the Result Set
After you run a query, you might find that the result set includes more information than you need. Instead of creating a new query, narrow the result set by clicking a value within a row in the list of results. Clicking a value adds the parameter value as a condition in the search. For example, if the query results include messages from multiple dates, click a particular date within a row to show only messages that were received on that date.
Step 1: Float the cursor over the value that you want to add as a condition. The value is highlighted in yellow.
Use the following parameter values to refine the search:
Step 2: [New Web Interface Only] In the Message Tracking search criteria, click Modify.
Step 3: Click the value to refine the search.
The Results section displays the messages that match the original query parameters and the new condition that you added.
Step 4: If necessary, click additional values in the results to further refine the search.
About Message Tracking and Advanced Malware Protection Features
When searching for file threat information in Message Tracking, keep the following points in mind:
- To search for malicious files found by the file reputation service, select Advanced Malware Protection Positive for the Message Event option in the Advanced section in Message Tracking.
- Message Tracking includes only information about file reputation processing and the original file reputation verdicts returned at the time a message was processed. For example, if a file was initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears in Tracking results.
  In Message Tracking details, the Processing Details section shows:
- Verdict updates are available only in the AMP Verdict Updates report. The original message details in Message Tracking are not updated with verdict changes. To see messages that have a particular attachment, click a SHA-256 in the verdict updates report.
- Information about File Analysis, including analysis results and whether or not a file was sent for analysis, is available only in the File Analysis report.
  Additional information about an analyzed file may be available from the cloud. To view any available File Analysis information for a file, select Monitor > File Analysis and enter the SHA-256 to search for the file. If the File Analysis service has analyzed the file from any source, you can see the details. Results are displayed only for files that have been analyzed.
  If the appliance processed a subsequent instance of a file that was sent for analysis, those instances will appear in Message Tracking search results.
Understanding Tracking Query Results
If results are not what you expected, see Troubleshooting Message Tracking.
Tracking query results list all of the messages that match the criteria specified in the tracking query. Except for the Message Event options, the query conditions are added with an “AND” operator. The messages in the result set must satisfy all of the “AND” conditions. For example, if you specify that the envelope sender begins with J and you specify that the subject begins with T, the query returns a message only if both conditions are true for that message.
To view detailed information about a message, click the More Details link in the new web interface or the Show Details link in the legacy web interface for that message. For more information, see Message Details.
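As an added illustration of the “AND” query semantics and the narrowing step described above (this is not code from the appliance or from Cisco), here is a small Python model of a tracking query over constructed records. The field names, the sample messages, and the treatment of Message Event options as a match on any selected event are assumptions.

```python
"""Model of Security Management appliance tracking-query semantics.

All records below are constructed sample data, not real tracking output.
"""
from dataclasses import dataclass, field


@dataclass
class TrackedMessage:
    mid: int                      # Cisco message ID (MID)
    cisco_host: str               # Email Security appliance that processed it
    received: str                 # received date, "YYYY-MM-DD" (constructed)
    envelope_sender: str
    envelope_recipients: list
    subject: str
    events: set = field(default_factory=set)   # e.g. {"delivered"}


SAMPLE = [
    TrackedMessage(101, "esa1", "2024-03-01", "jane@example.com", ["bob@corp.example"], "Timesheet due", {"delivered"}),
    TrackedMessage(102, "esa1", "2024-03-01", "joe@example.net", ["bob@corp.example"], "Re: invoice", {"spam positive", "quarantined"}),
    TrackedMessage(103, "esa2", "2024-03-02", "jane@example.com", ["amy@corp.example"], "Travel plans", {"hard bounced"}),
    TrackedMessage(104, "esa2", "2024-03-02", "mark@example.org", ["bob@corp.example"], "Test run", {"delivered"}),
]


def matches(msg, criteria):
    """Every non-event criterion must hold (AND): text fields use a
    case-insensitive prefix match, host and date must be equal.
    Message Event options are the page's stated exception to AND; this
    model ASSUMES a message matches when it carries any selected event."""
    for key, value in criteria.items():
        if key == "events":
            if not (set(value) & msg.events):
                return False
        elif key in ("cisco_host", "received"):
            if getattr(msg, key) != value:
                return False
        elif key == "envelope_recipient":
            if not any(r.lower().startswith(value.lower()) for r in msg.envelope_recipients):
                return False
        else:  # envelope_sender, subject
            if not getattr(msg, key).lower().startswith(value.lower()):
                return False
    return True


def search(records, **criteria):
    """Return the MIDs of all records that satisfy every criterion."""
    return [m.mid for m in records if matches(m, criteria)]


def narrow(criteria, key, value):
    """Model of clicking a value in a result row: the value becomes one
    more AND condition, leaving the original query untouched."""
    refined = dict(criteria)
    refined[key] = value
    return refined
```

With the sample data, a sender beginning with "j" combined with a subject beginning with "t" returns only MIDs 101 and 103, since 102 fails the subject condition.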
Message Details
To view detailed information about a particular email message, including the message header information and processing details, click the More Details link for any item in the search results list. A new window opens with the message details.
The message details include the following sections:
- Verdict Chart and Last State Verdicts
- Envelope and Header Summary
- Sending Host Summary
- Processing Details
Verdict Chart and Last State Verdicts
A Verdict Chart displays the possible verdicts triggered by each engine of the Email Security appliance.
The following figure shows the various verdicts of each engine:
Note: Service engines that are disabled or whose license has expired are displayed with the verdict “Not Applicable”.
The Last State verdict of the message is the final verdict reached after all the engines in your appliance have returned their verdicts.
Following are some of the last state verdicts:
- Delivered: When a message is delivered.
- Dropped: When a message is dropped.
- Bounced: When a message is bounced back.
- Splintered: When the MID of a message is split into multiple MIDs having multiple final states.
- Quarantined: When a message is quarantined by engines.
- Queued: When a message is still being processed by an engine and gives out an interim verdict; or when a message is waiting in a queue of a particular engine.
- Processing: When a message is not completely processed by all the engines; or when a message is waiting in a queue of a particular engine.
- Last State Not Available: When both the last state and the verdict chart cannot be retrieved, you can view the Last State with no drop-down.
Envelope and Header Summary
This section displays information from the message envelope and header, such as the envelope sender and recipients. It includes the following information:
Received Time: Time that the Email Security appliance received the message.
MID: Message ID.
Subject: Subject line of the message.
The subject line in the tracking results may have the value “(No Subject)” if the message does not have a subject or if the Email Security appliances are not configured to record the subject lines in log files.
Envelope Sender: Address of the sender in the SMTP envelope.
Envelope Recipients: Addresses of the recipients in the SMTP envelope.
Message ID Header: “Message-ID:” header that uniquely identifies each email message. It is inserted in the message when the message is first created. The “Message-ID:” header can be useful when you are searching for a particular message.
Cisco Host: Email Security appliance that processed the message.
SMTP Auth User ID: SMTP authenticated user name of the sender, if the sender used SMTP authentication to send the email. Otherwise, the value is “N/A.”
Attachments: The names of files attached to the message.
Sender Group: The sender group that received the message.
Message Size: The size of the message.
Policy Match (Incoming or Outgoing): The policy that received the message.
Note: If the engine is not able to fetch the details, the value is displayed as “N/A”.
Sending Host Summary
Reverse DNS Hostname: Hostname of the sending host, as verified by reverse DNS (PTR) lookup.
IP Address: IP address of the sending host.
SBRS Score: SenderBase Reputation Score. The range is from 10 (likely a trustworthy sender) to -10 (apparent spammer). A score of “None” indicates that there was no information about this host at the time the message was processed.
Processing Details
This section displays various logged status events during the processing of the message.
Entries include information about mail policy processing, such as anti-spam and anti-virus scanning, and other events such as message splitting.
If the message was delivered, the details of the delivery appear here. For example, a message may have been delivered and a copy kept in quarantine.
The last recorded event is highlighted in the processing details.
Summary Tab
This tab displays the summary logs of all the events during the processing of message.
DLP Matched Content Tab
This tab displays content that violates Data Loss Prevention (DLP) policies.
Because this content typically includes sensitive information, such as corporate confidential information or personal information including credit card numbers and health records, you may want to disable access to this content for users who have access, but not Administrator-level access, to the Security Management appliance. See Controlling Access to Sensitive Information in Message Tracking.
URL Details Tab
This tab displays only for messages caught by URL Reputation and URL Category content filters and by outbreak filters, not by message filters.
This tab displays the following information:
- The reputation score or category associated with the URL
- The action performed on the URL (rewrite, defang, or redirect)
- If a message contains multiple URLs, which URL triggered the filter action
You can see this tab only if you have configured your Email Security appliance to display this information. See User Guide for AsyncOS for Cisco Email Security Appliances.
To control access to this tab, see Controlling Access to Sensitive Information in Message Tracking.
SMTP Log Tab
This section displays a log of messages when the sender of the email fails SMTP authentication.
AMP Log Tab
This section displays a log of messages caught by the Advanced Malware Protection file reputation and file analysis service.
Troubleshooting Message Tracking
Expected Messages Are Missing from Search Results
Problem
Search results did not include messages that should have met the criteria.
Solution
- Results for many searches, especially Message Event searches, depend on your appliance configuration. For example, if you search for a URL Category for which you have not filtered, no results will be found, even if a message contains a URL in that category. Verify that you have configured the Email Security appliance properly to achieve the behavior that you expected. For example, check your mail policies, content and message filters, and quarantine settings.
- See Checking Message Tracking Data Availability.
Attachments Do Not Appear in Search Results
Problem
Attachment names are not found and displayed in search results.
Solution
At least one incoming content filter or other body scanning feature must be configured and enabled on the ESA. See the configuration requirements in Enabling Centralized Email Tracking on a Security Management Appliance and the limitations for attachment name searches in Tracking Service Overview.